Add any usernames that should not be deleted to the dictUsersToIgnore list. MATCH_EXACT means that the username is matched exactly. MATCH_LEFT means that only the leftmost portion of username will be matched (i.e. imagine that the name match has a "*" after it).

This script is suitable for assigning as an AD startup script. Be careful how you scope it -- it can really ruin your day if you run it in the wrong place.
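The script itself is not reproduced in the answer, so here is an added example (not the answer's original code) that implements the behaviour it describes in PowerShell: an allow-list with MATCH_EXACT and MATCH_LEFT semantics, and removal of every other local SAM account. The `-Force` switch, the log path and the allow-list entries are assumptions; without `-Force` it only logs what it would remove.

```powershell
# Added example, not the script from the answer above. Deletes every local SAM
# account except those on an allow-list, using the MATCH_EXACT / MATCH_LEFT
# semantics described in the answer. Requires Microsoft.PowerShell.LocalAccounts
# (Windows 10 / Server 2016 and later). Reports only unless -Force is given.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Force   # assumed switch name; without it nothing is deleted
)

# Allow-list (constructed sample values): username => match mode.
$usersToIgnore = @{
    'Administrator'      = 'MATCH_EXACT'
    'Guest'              = 'MATCH_EXACT'
    'DefaultAccount'     = 'MATCH_EXACT'
    'WDAGUtilityAccount' = 'MATCH_EXACT'
    'svc'                = 'MATCH_LEFT'   # keeps svc-backup, svcSQL, ... ("svc*")
}

function Test-IgnoredUser {
    param([string]$Name)
    foreach ($entry in $usersToIgnore.GetEnumerator()) {
        switch ($entry.Value) {
            'MATCH_EXACT' { if ($Name -ieq $entry.Key) { return $true } }
            'MATCH_LEFT'  { if ($Name.StartsWith($entry.Key,
                                [System.StringComparison]::OrdinalIgnoreCase)) { return $true } }
        }
    }
    return $false
}

$log = Join-Path $env:SystemRoot 'Temp\Remove-LocalUsers.log'   # assumed log path

foreach ($user in Get-LocalUser) {
    # Built-in accounts (Administrator = RID 500, Guest = RID 501, ...) always have
    # RIDs below 1000, so skip them by RID too: names vary by locale and can be renamed.
    $rid = [int]($user.SID.Value.Split('-')[-1])
    if ($rid -lt 1000 -or (Test-IgnoredUser $user.Name)) { continue }

    $line = "{0} {1} account '{2}' (SID {3})" -f (Get-Date -Format s),
            $env:COMPUTERNAME, $user.Name, $user.SID.Value
    if ($Force -and $PSCmdlet.ShouldProcess($user.Name, 'Remove-LocalUser')) {
        Remove-LocalUser -SID $user.SID -ErrorAction Stop
        Add-Content -Path $log -Value "REMOVED $line"
    } else {
        Add-Content -Path $log -Value "WOULD REMOVE $line"
    }
}
```

As a startup script it runs as SYSTEM against the machine's SAM, so review the "WOULD REMOVE" log from a scoped test OU before adding `-Force`.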

How is 'Restricted Groups' policy going to help with logons using local user accounts? Are you thinking of trying to remove the local user accounts from each machines' 'Users' group?
– Evan Anderson, Dec 22 '09 at 3:56

I am using this feature to replace local admins with the ones I define. Theoretically you can remove local Users with this feature.
– Taras Chuhay, Dec 22 '09 at 20:36

Explicitly define the GPO "Deny Logon Locally" to block all users that you wish to deny, and apply that to the OU that they live in... It may take a bit of jiggery-pokery to your AD schema, but that should solve all your issues...

There wouldn't be any modification to the AD schema required to do what you're talking about. (Modification to the AD schema is a fairly serious affair. You're batting around the terminology so loosely that it makes me think you don't know what you're talking about.) If the poster is going to go to all of the trouble of locating the SIDs for all of the local user accounts in all the SAM databases on all the PCs to add them to a GPO, why not just go ahead and delete the local user accounts?
– Evan Anderson, Dec 22 '09 at 13:58

I used schema in the loosest sense of the word, not in the AD sense, you're right, that is a serious business. Having read the OP again, I thought he was trying to block domain users from logging on locally, which would be a relatively easy thing to prevent... Teach me to try and answer things before my morning coffee...
– Ed Morgan, Dec 23 '09 at 8:42